Shibboleth and WebAuth II

Russ Allbery eagle at windlord.stanford.edu
Fri Dec 9 11:34:08 PST 2011


Petr Grolmus <indy at civ.zcu.cz> writes:

> sorry for the delayed response to your mail. Your advice was really
> helpful and now we have a simple implementation of shibboleth module
> useful for forced re-authentication in connection with WebAuth 4.x. We
> hope this solution is both robust and secure, so we ask you (and of
> course anyone who cares) for public review of this solution.

> The description in detail and the module itself are accessible at
> http://support.zcu.cz/java-idp-webauth-login-handler

This looks great.

For the other factors, at least with the current implementation you can
treat WEBAUTH_SESSION_FACTORS of o as being equivalent to p for your
purposes; those will only be expressed if the user just authenticated with
a one-time password.  x is a little trickier, since in theory that could
mean authenticating with a certificate cached in their browser, which may
not constitute forced authentication for your purposes, but I'd be
inclined to allow it as well.

m and k should not count as authentications for this purpose.

Note that it's theoretically possible (although it won't happen in the
current available code paths) for WEBAUTH_SESSION_FACTORS to be set to
something like p,c,m.  I think that should probably also count as p for
your purposes (and the redirect helper would pass it, so it probably has
to or you'll just get a loop).  This can happen when the user has a single
sign-on cookie that says they authenticated with OTP or some other method
but then you forced password authentication.  So if you're not already,
you probably want to split on comma and then see if p is included, rather
than checking whether the string is exactly equal to p.

These are all minor bits, though.  The basic idea is great.  I didn't look
at the source, but everything seems fine from the description.

Can I add a link to this from the WebAuth pages?

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
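The factor check described in the reply above, written out as an added example (this is not code from the zcu.cz login handler or from WebAuth itself): it splits WEBAUTH_SESSION_FACTORS on commas and tests for membership instead of exact equality, treats o and x like p, never counts m or k, and exposes the certificate caveat as a parameter. Treating c as not counting on its own is an assumption; the mail only shows c inside the p,c,m example.

```python
"""Decide whether WEBAUTH_SESSION_FACTORS reflects a fresh interactive login.

Added example, not the login handler's or WebAuth's own code.  Follows the
advice in the mail: split on comma, look for p, treat o and x as p,
never count m or k.
"""

# Factors the mail says count as a fresh authentication for forced
# re-authentication purposes.  x (certificate) is accepted with a caveat,
# so it is handled separately below.
PASSWORD_LIKE_FACTORS = frozenset({"p", "o"})
CERTIFICATE_FACTOR = "x"


def parse_factors(header_value):
    """Split a WEBAUTH_SESSION_FACTORS value into a set of factor codes.

    Tolerates a missing or empty header, stray whitespace and an empty
    trailing element, returning an empty set rather than raising.
    """
    if not header_value:
        return frozenset()
    return frozenset(f.strip() for f in header_value.split(",") if f.strip())


def is_forced_authentication(header_value, accept_certificate=True):
    """Return True if the factors show the user just authenticated.

    An exact-match test (value == "p") would reject "p,c,m", which the
    redirect helper accepts, and the user would be sent round in a loop;
    set membership accepts it.  m and k alone never count.  Whether a
    browser-cached certificate (x) counts is left to the caller.
    """
    factors = parse_factors(header_value)
    if factors & PASSWORD_LIKE_FACTORS:
        return True
    return accept_certificate and CERTIFICATE_FACTOR in factors


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real deployment.
    for value in ("p", "p,c,m", "o", "x", "k", "m", "c,m", "", " p , c "):
        print(repr(value), "->", is_forced_authentication(value))
```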
